The primary authentication protocol for the next version of the Windows NT domain will be Kerberos authentication. Kerberos credentials consist of the domain and user name (which could be in the form of Internet-friendly names, such as DeannaD@Microsoft.com), and the Kerberos-style encrypted password. When the user logs on to the system, Windows NT obtains one or more Kerberos tickets to connect to network services. The Kerberos tickets represent the user's network credentials in the Kerberos-based authentication.
Windows NT automatically manages the Kerberos ticket cache for connections to all network services. Tickets have an expiration time and occasionally need to be renewed. Ticket expiration and renewal are handled by the Kerberos security provider and associated application services. Most services, such as the file system Redirector, will automatically keep session tickets up to date. Regular ticket renewal gives added session security by changing the session keys periodically.
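The cache maintenance described above can be modelled in a few lines. This is an added example, not Windows NT code: the lifetimes, the `renew_till` limit (the renew-till field of standard Kerberos tickets), the service name and all function names are assumptions chosen for illustration, and the KDC exchanges are replaced by local stand-ins.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Ticket:
    service: str
    session_key: bytes
    end_time: int      # seconds; the ticket is unusable after this
    renew_till: int    # absolute limit beyond which renewal is refused

LIFETIME = 10 * 3600       # assumed ticket lifetime (10 hours)
RENEW_WINDOW = 15 * 60     # assumed: renew when under 15 minutes remain

def issue(service, now, max_renew=7 * 24 * 3600):
    """Stand-in for a fresh ticket request (a full KDC exchange)."""
    return Ticket(service, secrets.token_bytes(32), now + LIFETIME, now + max_renew)

def renew(ticket, now):
    """Stand-in for renewal: new session key, later end time, same renew_till."""
    new_end = min(now + LIFETIME, ticket.renew_till)
    return Ticket(ticket.service, secrets.token_bytes(32), new_end, ticket.renew_till)

def maintain(cache, now):
    """Bring every cached ticket up to date; return the action taken per service."""
    actions = {}
    for svc, t in list(cache.items()):
        if now >= t.end_time or now >= t.renew_till:
            # Expired tickets cannot be renewed; a new one must be requested.
            cache[svc], actions[svc] = issue(svc, now), "reissue"
        elif t.end_time - now <= RENEW_WINDOW and t.end_time < t.renew_till:
            # Close to expiry and still renewable: rotate the session key.
            cache[svc], actions[svc] = renew(t, now), "renew"
        else:
            actions[svc] = "keep"
    return actions

if __name__ == "__main__":
    cache = {"cifs/fs1": issue("cifs/fs1", now=0)}   # constructed service name
    for now in (0, LIFETIME - 600, 8 * 24 * 3600):
        print(now, maintain(cache, now), cache["cifs/fs1"].session_key.hex()[:16])
```

A ticket whose end time has already reached `renew_till` is left alone until it expires and is then requested again, which is why a long-lived session eventually needs the user's credentials once more.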